Mobile Jon’s 2017 Intune Assessment

Once a year for my amazing firm I do an assessment of Intune. I think it’s important to take a long, hard look at things; just because it’s Microsoft doesn’t mean it’s overpriced and bad. Honestly, it has come a long way. I will talk about the basic requirements every one of you should have for an MDM, the gaps from last year, and where it’s at this year. This is simply my expert opinion and it “may” have facts sprinkled in here and there.

The Mobility Baseline

You can carve up your baseline into a few key areas, which we will detail. Of course every company is different, but I will focus on a basic consensus. What I typically suggest is to look at your current MDM and ask yourself three questions:

What am I using today?

What should I be using?

What can’t I do that I wish I could?

Anyways, now that I’ve provided some common sense, we can move into the categories and show my baseline for a mobility vision.

Enrollment

I think this is really simple. You just need to decide: how much do I trust the Internet, and what mitigating controls do I need to not feel so grossed out? The features that I believe are crucial to your enrollment strategy are:

Restricting Enrollment to Device Types, Models, and OS versions

Support to present a EULA to an enrolling device

Ability to sign enrollment profiles

A simple enrollment workflow that actual humans can use

Secure authentication for enrollment

Whitelist/Blacklist model

Apple DEP Support

Support for Corp and Employee-Owned Devices
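The first and sixth items on this list (restricting enrollment by device type, model and OS version, and a whitelist/blacklist model) come down to one policy decision per enrolling device. The evaluator below is an added example written for this post, not Intune's own enrollment-restriction logic or API; the policy fields, device attributes and sample values are all constructed here. It shows the ordering a defender wants: an explicit block wins over every allow rule, a platform that is not listed is denied by default, and a malformed OS version string is treated as a deny rather than a pass.

```python
"""Enrollment-restriction evaluator (added example; hypothetical policy model, not Intune's)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically, not as strings.

    Raises ValueError on anything that is not dotted integers, so the caller
    can fail closed instead of accepting an unparseable version.
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class EnrollmentPolicy:
    # Platforms that may enroll; anything not listed is denied by default (the whitelist).
    allowed_platforms: Set[str] = field(default_factory=set)
    # Minimum OS version per platform, e.g. {"iOS": "10.0"}.
    min_os_version: Dict[str, str] = field(default_factory=dict)
    # Explicit model blocklist; a hit here wins over every allow rule (the blacklist).
    blocked_models: Set[str] = field(default_factory=set)
    # Optional per-platform model allowlist; an empty set means any model of that platform.
    allowed_models: Dict[str, Set[str]] = field(default_factory=dict)
    # Whether employee-owned devices may enroll at all.
    allow_personal: bool = True


@dataclass
class Device:
    platform: str
    model: str
    os_version: str
    corporate_owned: bool


def evaluate_enrollment(policy: EnrollmentPolicy, device: Device) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run from most to least restrictive."""
    if device.model in policy.blocked_models:
        return False, f"model {device.model} is explicitly blocked"
    if device.platform not in policy.allowed_platforms:
        return False, f"platform {device.platform} is not permitted"
    models = policy.allowed_models.get(device.platform, set())
    if models and device.model not in models:
        return False, f"model {device.model} is not on the {device.platform} allowlist"
    minimum: Optional[str] = policy.min_os_version.get(device.platform)
    if minimum is not None:
        try:
            if parse_version(device.os_version) < parse_version(minimum):
                return False, f"{device.platform} {device.os_version} is below minimum {minimum}"
        except ValueError:
            # Fail closed: a version we cannot parse is not proof of compliance.
            return False, f"unparseable OS version {device.os_version!r}"
    if not device.corporate_owned and not policy.allow_personal:
        return False, "employee-owned devices are not permitted"
    return True, "enrollment permitted"


# Constructed sample policy for illustration; the model strings are made up.
SAMPLE_POLICY = EnrollmentPolicy(
    allowed_platforms={"iOS", "Android"},
    min_os_version={"iOS": "10.0", "Android": "6.0"},
    blocked_models={"ExamplePhone-Legacy"},
    allow_personal=True,
)

# Constructed sample devices covering the allow path and each deny path.
SAMPLE_DEVICES = [
    Device("iOS", "ExamplePhone-9", "10.3.1", corporate_owned=True),      # allowed
    Device("iOS", "ExamplePhone-9", "9.3.5", corporate_owned=False),      # OS too old
    Device("Android", "ExamplePhone-Legacy", "7.0", corporate_owned=True),  # blocked model
    Device("Windows", "ExampleTablet", "10.0", corporate_owned=True),       # platform not listed
    Device("Android", "ExamplePhone-A", "7.0-beta", corporate_owned=True),  # unparseable version
]


def run_samples(policy: EnrollmentPolicy = SAMPLE_POLICY, devices=SAMPLE_DEVICES):
    """Evaluate every sample device and return the list of (allowed, reason) results."""
    return [evaluate_enrollment(policy, d) for d in devices]


if __name__ == "__main__":
    for device, (allowed, reason) in zip(SAMPLE_DEVICES, run_samples()):
        print(f"{device.platform:8} {device.model:20} {device.os_version:8} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Only the first sample device is permitted; the other four each hit a different deny rule, which is the behaviour to look for when you test a real MDM's restriction settings.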

Device Management

Device management is fairly simple. What can compromise my company? What are the gaps? How do I achieve true DLP? (Check my blog on DLP!) These are some of the things that I suggest you look for:

Seamlessly deploy restrictions profiles

Instantaneous enterprise wipe or full device wipe

Brick wall to ensure only corporate devices can be full device wiped

Seamless support for certificate automation for VPN/WiFi/Email etc.

Deploy Certificate Chains

Deploying payloads for VPN/WiFi and whatever else you need

Deploy trusted email and web domains

Deploy payloads based on AD groups

Flexible group creation similar to Exchange Dynamic DLs

Supports a tiered management structure for reporting and overall management

Basic administration functions (reset passcode/lock device/etc)

System Requirements

System Requirements is a weird one. It’s basically the “stuff” that makes the engine run. Let’s face it, no one wants to know how the sausage is made. They just want it to work. It’s amusing when you assume certain things should work, but many MDMs suck and sometimes don’t meet the base requirements. The system requirements that matter to me are:

Supports standard LDAP and LDAP over the GAL ports (3268/3269), along with certificate checking for LDAPS

Works seamlessly with subdomains

Basic/Advanced Analytics for Reporting

Supports Role-Based Access Control
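“Certificate checking for LDAPS” is the requirement most often assumed and least often verified: the MDM should refuse the connection if the directory’s certificate does not chain to a trusted CA or does not match the hostname. The script below is an added example for checking that from your own side, not part of this post’s original content and not an Intune feature; the host and CA bundle path are placeholders you supply. It opens a TLS session on the 3269 port named above with verification on, and reports either the verified certificate or the reason it was rejected.

```python
"""LDAPS (3269 / 636) connectivity and certificate check (added example, not an Intune feature)."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

GLOBAL_CATALOG_LDAPS_PORT = 3269  # Global Catalog over TLS, the second port named in the post
LDAPS_PORT = 636                  # standard LDAPS


def make_ldaps_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build a TLS context that refuses untrusted chains and hostname mismatches.

    ca_bundle is a PEM file with your internal root/intermediate CAs; None uses the
    OS trust store, which is usually wrong for an internal AD deployment.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain, checks the name and rejects TLS < 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


@dataclass
class LdapsCheck:
    host: str
    port: int
    ok: bool
    detail: str


def check_ldaps(host: str, port: int = GLOBAL_CATALOG_LDAPS_PORT,
                ca_bundle: Optional[str] = None, timeout: float = 5.0) -> LdapsCheck:
    """Connect with full verification and return what a compliant client would see."""
    ctx = make_ldaps_context(ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated because verification succeeded
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return LdapsCheck(host, port, True,
                                  f"verified chain; CN={subject.get('commonName')}; "
                                  f"expires {cert.get('notAfter')}; {tls.version()}")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired cert or hostname mismatch: the directory is reachable
        # but a correctly configured client must not talk to it.
        return LdapsCheck(host, port, False, f"certificate rejected: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return LdapsCheck(host, port, False, f"connection failed: {exc}")


if __name__ == "__main__":
    # Placeholders: replace with your global catalog host and internal CA bundle.
    result = check_ldaps("gc.example.internal", GLOBAL_CATALOG_LDAPS_PORT,
                         ca_bundle="/path/to/internal-ca-bundle.pem")
    print(f"{result.host}:{result.port} -> {'OK' if result.ok else 'FAIL'}: {result.detail}")
```

Run it once against each domain controller and subdomain the MDM will query; a “certificate rejected” result is exactly the case where a product that does not check certificates would silently connect anyway.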

Application Management

Application management is a tricky one. Many of you may have no use for it, but many companies are now building their own applications. Every company has different views on application development, but our focus is more on the management of those apps. My suggestions are:

Supports a user-friendly App Store with company-branding

Deploy applications based on group assignments

Support for Apple’s VPP (Volume Purchasing Program)

Supports Internal Apps

Custom categories

SDK Support for SSO/DLP/Analytics etc.

Deploy Web Clips to devices

Ability to update the yearly device signing profiles for iOS devices without needing to redeploy apps

Content Management

Content Management used to be in a similar situation to App Management, but it has quickly become the most important aspect of mobile devices with the focus on collaboration. A few of the things you should focus on are:

Support for Office document management (potentially for both internal and external devices)

Provide Offline Access

Enforce DLP Controls for the applications, which must respect Secure Open-In

My Intune 2016 Review

In my Intune 2016 review, I found several red flags that were big failures:

Enrollments are not possible if you require VPN for ADFS integration

Limited certificate automation support (Only Supports SCEP)

Limited Support for restricting devices (cannot block device types nor can you block specific users without removing their license)

Web Domain and Email Domain Support does not exist (Highlighting external domains)

Enterprise Wipes do not work for Outlook in current state

Device Check-ins are very inconsistent

Deploying changes to the environment takes 30-60 minutes in some cases (such as branding, new policies, etc.)

Issues with deploying email profiles

ActiveSync needs to be opened externally, coupled with Allow/Block/Quarantine for all EAS devices

No support for creating customized roles for admin accounts

No support for accessing internal file shares

My Intune 2017 Review

I can honestly say that Intune has made some significant strides on its platform. Many of the gaps have been addressed today. The current gaps I’ve found are:

In Review…

I believe that Intune has some great potential, but only if you are closely tied to the Microsoft stack in the cloud. My deep dive into the Intune platform has taught me that there is nothing more powerful than a full O365 environment with E5 licenses. With that, you can capitalize on conditional access powered by Intune compliance, the Azure cloud security stack, and so much more. Unless Microsoft, in un-Microsoft-like fashion, decides to open up the Graph APIs to the other MDM vendors so that a competitor’s compliance data can tie into the Azure stack, Microsoft will be a leader in this space within 2 years.

Published by mobilejon
